CVE-2026-25905 identifies a vulnerability in the 'mcp-run-python' project, specifically in how Python code executed via the 'runPython' or 'runPythonAsync' functions interacts with the JavaScript environment. The core issue is improper isolation or compartmentalization (CWE-653), where Python code is not sandboxed and can leverage Pyodide APIs to modify the JavaScript environment. Pyodide is a WebAssembly-based Python runtime that allows Python to run in the browser or JavaScript environments. Because the Python code can manipulate the JS environment, an attacker controlling Python code execution could hijack the MCP server, potentially performing malicious activities such as MCP tool shadowing—where attacker tools mimic or replace legitimate ones to evade detection. The vulnerability has a CVSS 3.1 base score of 5.8 (medium severity), reflecting network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L). The 'mcp-run-python' project is archived and unlikely to receive patches, leaving users exposed unless they migrate or implement mitigations. No known exploits have been reported in the wild, but the potential for server hijacking and environment manipulation poses a significant risk. The vulnerability affects all versions (indicated as '0' in affectedVersions), implying the entire project is vulnerable. The lack of patch links confirms no official fix is available. This vulnerability is particularly relevant for environments that integrate Python execution within JavaScript contexts using Pyodide or similar technologies, especially where untrusted Python code might be run. Attackers would need to trick users into executing malicious Python code or gain access to the Python execution environment, which requires user interaction and increases attack complexity.

For European organizations, the impact of CVE-2026-25905 depends on their use of the 'mcp-run-python' project or similar Python-in-JavaScript execution environments leveraging Pyodide. Organizations using this tool for server-side or client-side automation, scripting, or integration could face risks of server hijacking, leading to unauthorized control over MCP servers. This could result in data manipulation, unauthorized access to sensitive information, or disruption of services. The ability to perform tool shadowing means attackers could evade detection by mimicking legitimate tools, complicating incident response. Given the medium severity and requirement for user interaction, the threat is more pronounced in environments with less stringent user controls or where users are prone to executing untrusted code. European sectors with high reliance on software development, research, and digital services—such as finance, telecommunications, and government—could face operational and reputational damage if targeted. The archived status of the project means no official patches will be forthcoming, increasing the risk for organizations that continue to rely on it. Additionally, the vulnerability could be leveraged as part of multi-stage attacks, increasing overall threat severity.

1. Immediately discontinue use of the 'mcp-run-python' project in production environments, especially where untrusted Python code execution is possible. 2. Migrate to actively maintained alternatives that provide proper isolation between Python and JavaScript execution contexts, ensuring sandboxing and compartmentalization. 3. Implement strict input validation and code signing for any Python code executed within JavaScript environments to prevent execution of malicious scripts. 4. Use containerization or virtualization techniques to isolate Python runtime environments from core application logic and JavaScript environments. 5. Monitor MCP server logs and runtime behavior for anomalies indicative of environment manipulation or tool shadowing, employing behavioral analytics where possible. 6. Educate developers and users about the risks of executing untrusted Python code in mixed-language environments and enforce policies restricting such practices. 7. If migration is not immediately feasible, consider network segmentation and access controls to limit exposure of MCP servers to untrusted users or networks. 8. Regularly audit dependencies and third-party projects for maintenance status and known vulnerabilities to avoid reliance on archived or unsupported software.